IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

ATTY.'S DOCKET: AKKAR=1 

In re Application of: ) Art Unit: 2137 

Mehdi-Laurent AKKAR ) Examiner: Z. A. Davis 

Appln. No.: 09/771,967 ) Washington, D.C. 

Filed: January 30, 2001 ) Confirmation No. 2638 

For: METHOD OF EXECUTING A ) 
CRYPTOGRAPHIC PROTOCOL ) 
BETWEEN TWO ELECTRONIC... ) 

DECLARATION OF INVENTORS UNDER 35 U.S.C. § 1.131 

Each of the undersigned, Mehdi-Laurent Akkar and Paul Dischamp, is 
a co-inventor of the above-identified application and we are collectively the inventors 
of the above-identified application. 

We understand that the examiner has applied U.S. Patent No. 
6,594,761 to Chow in a rejection of the above-identified patent application. 

We hereby declare that the aforementioned patent by Chow is not prior 
art to our invention, inasmuch as we had actually reduced to practice, and thus made 
our invention, prior to the June 9, 1999 filing date of Chow. 

1. In evidence of such reduction to practice, we attach herewith a copy 
of a description of the invention and a listing of computer code as Exhibit A, having a 
date (redacted) which is prior to the June 9, 1999, filing date of Chow. 

5. The first page of Exhibit A states as follows: 

Anti-DPA Improvements in S-BOXes : 

Authors : Mehdi-Laurent AKKAR 
Paul DISCHAMP 



Date : REDACTED 



1 - Explanations 

- The 8 S-BOXes are processed randomly, so as to: 

- divide the height of peaks by 8 on the signal; 

- avoid a 1-round attack since it is impossible to know which S-BOX 
is processed. 

- Bitwise inverted DES is carried out randomly (one of the 
characteristics of DES is that this is possible (see Schneier or 
Stinson)). For that purpose, a second set of bitwise complemented 
S-BOXes is used both on input and output, so that any attempt to 
predict which bits circulate within the component will be erroneous. 
However, at the final XOR output of each round, the output is once 
again the appropriate one and has to be re-complemented (in the 
case of an inverted round). If this is done, at some point, whatever 
the round (whether it is inverted or not), the message will be 
available in its "clear" form, so that DPA can then be applied. 
Therefore, before and after each round, the left part of the message 
is randomly complemented or not (in the normal case: inverse, and 
then inverse, OR non-inverse, and then non-inverse // in the inverted 
case: inverse, and then non-inverse, OR non-inverse, and then 
inverse). For this purpose, the following steps are carried out: 
"XORing" is performed with X, and then with X, when nothing has to 
be changed, and "XORing" is performed with X and X^-1 (X's 
complement), thus yielding the inverse. To make this inconspicuous, 
X is used in such a way that XORing with X and X^-1 consumes the 
same amount of processing (in this case, 104 and 151). X could also 
be chosen randomly. 

- Finally, in order to avoid an attack against a large number of 
messages in which the random generator's bias could be used, the 
difference between the normal/inverted DES is checked. 

The Code of our DES using these countermeasures is as follows: 



6. Exhibit A in its entirety was sent, the day after its creation, by 
mail to our patent attorney, Mr. J. Barbin, at Cabinet Bonnet-Thirion. A copy of the 
letter is attached as Exhibit B to this declaration. 

7. Exhibit B states as follows: 

Mr J. Barbin 

Cabinet Bonnet-Thirion 

12, avenue de la Grande-Armee 
75017 Paris 



Re : filing of a Soleau envelope (CSP99010) 
Dear Sirs 

Please file on our behalf the enclosed six pages in a Soleau 
envelope in the name of De La Rue Cartes & Systemes. 
Thank you in advance and best regards. 

D Pottier 

8. All of the work done in preparation of Exhibit A was done by us or 
under the direct supervision of at least one of us, and the computer code shown 
implements the claimed invention. 

9. The work reflected in Exhibit A was conducted in France after 
January 1, 1996, and prior to June 9, 1999. 

We hereby declare that all the statements made herein of our own 
knowledge are true and that all statements made on information and belief are 
believed to be true; and further that these statements were made with the knowledge 
that willful false statements and the like so made are punishable by fine or 
imprisonment, or both, under section 1001 of Title 18 of the United States Code and 
that such willful false statements may jeopardize the validity of the application or any 
patent issued thereon. 

Date: October 27th, 2009 /Mehdi-Laurent Akkar/ 

Mehdi-Laurent Akkar 

Date: October 27th, 2009 /Paul Dischamp/ 

Paul Dischamp 

Anti-DPA Improvements in S-BOXes: 

Authors: Mehdi-Laurent AKKAR 
Paul DISCHAMP 

Date: REDACTED 

1 - Explanations 

- The 8 S-BOXes are processed in a random order, which makes it possible: 

- to divide the height of the peaks on the signal by 8; 

- to avoid a 1-round attack, since it is not known which S-BOX is being processed. 

- The DES is randomly carried out in bitwise inverted form (one of the 
characteristics of DES is that this is possible (see Schneier or Stinson)). For that 
purpose, a second set of S-BOXes, bitwise complemented on input and on 
output, is used, which makes any prediction of the bits circulating in the component wrong. 
However, at the output of the final XOR of each round, the output is once again the 
correct one and (in the case of an inverted round) it has to be re-complemented. If one 
proceeds in this way, whatever the round (inverted or not), at some point the message 
is available in "clear" form and a DPA can then be applied. Therefore, before and 
after each round, the left part of the message is randomly complemented or not 
(in the normal case: inverse, and then inverse, OR non-inverse, and then non- 
inverse // in the inverted case: inverse, and then non-inverse, OR non-inverse, and then 
inverse). For this purpose, one proceeds as follows: one "XORs" with X and then with X when 
nothing has to be changed, and one "XORs" with X and X^-1 (X's complement), which yields 
the inverse. So that this is not visible, X is chosen such that XORing with X and with X^-1 
consumes the same amount (in this case, 104 and 151). A randomly drawn X could also 
be used. 

- Finally, in order to avoid an attack on a large number of messages in which the bias of the 
random generator could be exploited, the difference between the number of normal and 
inverted DES operations carried out is checked. 

The Code of our DES using these countermeasures is: 




EXHIBIT A 
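
Added example, not the inventors' listing and not part of Exhibit A: a C illustration of the complemented S-box set and the X / complement-of-X masking described in the Explanations above, applied to one S1 slice of a round. The function names and the single-slice framing are assumptions made for illustration; the random S-box ordering and the normal/inverted balance check are not shown.

```c
#include <stdint.h>

/* Standard DES S-box S1, indexed [row][column]. */
static const uint8_t S1[4][16] = {
    {14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7},
    {0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8},
    {4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0},
    {15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13}};

/* Normal lookup: row from the outer bits, column from the inner four. */
uint8_t sbox(uint8_t x) { return S1[((x >> 4) & 2) | (x & 1)][(x >> 1) & 0xF]; }

/* Second set: complemented on input and on output. */
uint8_t sbox_inv(uint8_t x) { return (uint8_t)(~sbox(~x & 0x3F) & 0xF); }

/* XOR with X then X is a no-op; X then its complement inverts v.
   104 and 151 are the pair quoted in the exhibit (104 ^ 151 == 0xFF). */
uint8_t mask_pair(uint8_t v, int invert) {
    v ^= 104;
    return (uint8_t)(v ^ (invert ? 151 : 104));
}

/* One S1 slice of a round (hypothetical framing). l, r: left nibble and
   expanded right slice as held in the device (complemented when inverted
   != 0); k: unmodified subkey slice; pre: per-round random bit.
   *at_xor receives the value present on the final XOR output. */
uint8_t protected_slice(uint8_t l, uint8_t r, uint8_t k, int inverted,
                        int pre, uint8_t *at_xor) {
    uint8_t in = (r ^ k) & 0x3F;
    uint8_t f = inverted ? sbox_inv(in) : sbox(in);
    *at_xor = (mask_pair(l, pre) ^ f) & 0xF;
    return mask_pair(*at_xor, inverted ? !pre : pre) & 0xF;
}

/* Exhaustive check: returns 1 if every (l, r, k, pre) ends in the state
   its round mode requires and the XOR output follows pre, not the mode. */
int check_all(void) {
    for (int l = 0; l < 16; l++)
        for (int r = 0; r < 64; r++)
            for (int k = 0; k < 64; k++)
                for (int pre = 0; pre < 2; pre++) {
                    uint8_t x, y, want = l ^ sbox(r ^ k), nw = ~want & 0xF;
                    if (protected_slice(l, r, k, 0, pre, &x) != want) return 0;
                    if (protected_slice(~l & 0xF, ~r & 0x3F, k, 1, pre, &y) != nw) return 0;
                    if (x != (pre ? nw : want) || y != x) return 0;
                }
    return 1;
}

int main(void) { return check_all() ? 0 : 1; }
```

The check confirms that the value on the XOR output is clear or complemented according to the random bit alone, whether the round is normal or inverted, while the state leaving the slice is always the one the round mode expects.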



Paris, REDACTED 

From: D. POTTIER 

tel. 33 1 49 69 24 66 

DeLaRue fax 33 1 49 69 25 03 

Telephone: + 33 (0)1 53 62 51 00 
Marketing fax: + 33 (0)1 49 69 25 02 
R&D fax: + 33 (0)1 49 69 25 03 

http://www.delaru8.cc 

Mr J. BARBIN 
Cabinet Bonnet-Thirion 
12 avenue de la Grande Armee 
75017 PARIS 

Your Ref. 

Our Ref. DLRCS/DP/DEV/dp/99108 

Re: Filing of a Soleau envelope (CSP 99010) 

Dear Sir, 

Please file on our behalf the enclosed six sheets in a Soleau envelope 
in the name of De La Rue Cartes & Systemes. 

Thanking you in advance, I remain, Sir, yours faithfully. 




EXHIBIT B 




